CVE-2022-24760
📋 TL;DR
CVE-2022-24760 is a critical Remote Code Execution vulnerability in Parse Server caused by prototype pollution in DatabaseController.js. It allows attackers to execute arbitrary code on affected servers, potentially compromising the entire system. All Parse Server installations using MongoDB (and likely other databases) in default configuration are vulnerable.
💻 Affected Systems
- Parse Server
📦 What is this software?
Parse Server by Parseplatform
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal sensitive data, deploy ransomware, or pivot to other systems in the network.
Likely Case
Attackers gain remote code execution capabilities, potentially leading to data theft, service disruption, or installation of backdoors for persistent access.
If Mitigated
With proper network segmentation and least privilege, impact could be limited to the Parse Server application and its associated database.
🎯 Exploit Status
The vulnerability is in the default configuration and has public proof-of-concept code available, making exploitation relatively straightforward for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.10.7
Vendor Advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-p6h4-93qp-jhcm
Restart Required: Yes
Instructions:
1. Backup your Parse Server configuration and data.
2. Update Parse Server to version 4.10.7 or later using npm: `npm update parse-server`.
3. Restart the Parse Server service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Manual patch application
Apply the specific code fix from the GitHub commit if you are unable to upgrade immediately:
Apply the changes from commit 886bfd7cac69496e3f73d4bb536f0eec3cba0e4d to DatabaseController.js
🧯 If You Can't Patch
- Implement strict network access controls to limit Parse Server exposure to only trusted sources
- Deploy web application firewall (WAF) rules to detect and block prototype pollution attempts
🔍 How to Verify
Check if Vulnerable:
Check Parse Server version - if below 4.10.7, the system is vulnerable
Check Version:
npm list parse-server | grep parse-server
Verify Fix Applied:
Verify Parse Server version is 4.10.7 or higher and check that the DatabaseController.js file contains the fix from commit 886bfd7cac69496e3f73d4bb536f0eec3cba0e4d
📡 Detection & Monitoring
Log Indicators:
- Unusual database queries with prototype pollution patterns
- Unexpected process executions from Parse Server
- Error logs showing malformed requests to DatabaseController endpoints
Network Indicators:
- HTTP requests containing prototype pollution payloads to Parse Server endpoints
- Outbound connections from Parse Server to unexpected destinations
SIEM Query:
source="parse-server" AND ("prototype" OR "__proto__" OR "constructor") AND status=200
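Complementing the log and network indicators above, the following is an added example (not Parse Server's code or its fix) of a request-body check that a middleware or WAF layer could apply before a query body reaches the database layer; the sample bodies and their field names are constructed.

```javascript
// Added example (not Parse Server's code): reject JSON request bodies that
// carry keys able to reach Object.prototype during object traversal/merge.
// Flagging 'constructor' and 'prototype' on their own is a conservative
// choice; relax it if a legitimate schema needs those field names.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursively walk a parsed JSON value and return the dotted path of the
// first dangerous key found, or null when the value is clean.
function findPollutionKey(value, path = '') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findPollutionKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === 'object') {
    // JSON.parse creates '__proto__' as an own data property, so
    // Object.keys() lists it and we can inspect it safely.
    for (const key of Object.keys(value)) {
      const here = path ? `${path}.${key}` : key;
      if (DANGEROUS_KEYS.has(key)) return here;
      const hit = findPollutionKey(value[key], here);
      if (hit) return hit;
    }
  }
  return null;
}

// Parse a raw request body and refuse it if it carries pollution keys.
// Returns { ok: true, body } or { ok: false, reason }.
function parseSafely(rawBody) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (e) {
    return { ok: false, reason: 'invalid JSON' };
  }
  const hit = findPollutionKey(body);
  if (hit) return { ok: false, reason: `prototype pollution key at ${hit}` };
  return { ok: true, body };
}

// Constructed sample bodies (not captured traffic).
const CLEAN = '{"where":{"score":{"$gt":10}},"limit":5}';
const POLLUTED = '{"where":{"__proto__":{"isAdmin":true}}}';
const NESTED = '{"objects":[{"a":1},{"constructor":{"prototype":{"x":1}}}]}';

for (const raw of [CLEAN, POLLUTED, NESTED]) {
  console.log(raw, '=>', JSON.stringify(parseSafely(raw)));
}
```

A rejection from `parseSafely` is also a natural point to emit a log line that the SIEM query above can match on.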
🔗 References
- https://github.com/parse-community/parse-server/commit/886bfd7cac69496e3f73d4bb536f0eec3cba0e4d
- https://github.com/parse-community/parse-server/security/advisories/GHSA-p6h4-93qp-jhcm
- https://www.huntr.dev/bounties/ac24b343-e7da-4bc7-ab38-4f4f5cc9d099/